IPv6 Transition Techniques
Transcript of IPv6 Transition Techniques
-
IPv6 Routing
Mukom Akong T. (@perfexcellent)
-
After this section, you should be able to:
• Describe the need for transition technologies.
• Understand and configure manual 6in4 tunnels.
• Understand and configure automatic 6to4 tunneling.
• Identify and describe the options for v6-v4 translation.
Transition Mechanisms
-
The Problem Transition Mechanisms Solve
www.afrinic.net | slide 3
• How do we connect v6 networks over non-v6 capable links?
• How do we get v6-only networks talking to v4-only networks?
[Diagram: an IPv4-only network (e.g. the Internet), a dual-stacked network (v4 & v6), an IPv4-only network and an IPv6-only network, joined by transition mechanisms]
-
Categories of Transition Techniques
[Diagram: IPv6 Transition Techniques split into three categories: Dual Stack, Tunneling, Translation]
-
Dual Stack Network View
Your hardware, software and security systems run both v4 and v6:
• Hosts (desktops, servers, mobile devices, sensors etc.)
• Load balancers
• Switches (think DHCP & IGMP snooping, etc.)
• Routers (intra-domain and inter-domain routing protocols)
• Firewalls, intrusion detection and prevention systems
[Diagram: dual-stack network. Source: cisco.com]
-
Dual Stack Network Node View
[Diagram: protocol stack of a dual-stacked node]
  Application (IPv4 | IPv6)
  TCP | UDP
  IPv4 | IPv6
  Network Medium (e.g. Ethernet, Wireless, Fibre)
-
Stack Selection on a Dual-Stacked Device
• Manually specified by the user, e.g. http://[2000:100::7]/index.html vs http://192.0.2.1/index.html, or ping 2001:db8::a vs ping 192.0.2.1
• Through DNS:
  – A v4-only application queries, gets an A record and uses v4.
  – A v6-only application queries, gets an AAAA record and uses v6.
  – A dual-stacked application queries, gets both A & AAAA and prefers v6 (or, very rarely, v4).
  DNS responses are independent of the L3 protocol, i.e. a host can query over v4 and get an AAAA response.
-
Configuring a Cisco Router for Dual Stack

R1(config)#ipv6 unicast-routing
R1(config)#ip cef
R1(config)#ipv6 cef
R1(config)#interface FastEthernet 0/2
R1(config-if)#ipv6 address 2001:db8:c200::1/64
R1(config-if)#ip address 192.168.15.1 255.255.255.0
R1(config-if)#ipv6 ospf 1 area 12
R1(config-if)#ip ospf 1 area 12

R2(config)#ipv6 unicast-routing
R2(config)#ip cef
R2(config)#ipv6 cef
R2(config)#interface FastEthernet 0/2
R2(config-if)#ipv6 address 2001:db8:c200::2/64
R2(config-if)#ip address 192.168.15.2 255.255.255.0
R2(config-if)#ipv6 ospf 1 area 12
R2(config-if)#ip ospf 1 area 12
-
Some Implications of Running Dual Stack
• Increased complexity
  – Security policies for both v4 and v6
  – Two IGP routing protocols & multiple BGP address families
  – Some things work differently in each of the protocols
  – Applications must communicate over both protocols
• Increased support costs
• Higher resource requirements
  – Extra memory for the routing database and tables for v6
  – BGP tables for v4 (300K+) AND a growing v6 BGP table
-
Tunneling
• Encapsulate IPv6 within IPv4 packets (v4 protocol number 41).
• Source and destination fields are set to the v4 addresses of the tunnel endpoints.
• Tunnel endpoints are either manually configured or derived from transition addresses.
[Diagram: IPv6-in-IPv4 tunneling. Source: cisco.com]
-
Types of Tunnels
• Manual: requires manual configuration at both ends. Pre-agreement on the addresses to use at both endpoints.
• Semi-automatic, Tunnel Broker [RFC 3053]: the remote end is auto-configured, the other is manual. Router-to-router or host-to-router.
• Automatic: tunnels are created on demand. Examples: 6to4, 6rd, ISATAP.
-
Manual Tunnels
Pre-requisites
• Dual-stacked router [DSR] (or host) at both ends.
• IPv4 reachability between both ends.
• Public IPv4 addresses on each of the tunnel endpoints.
How it works
• DSR gets a v6 packet on its native v6 interface and routing directs it out the tunnel interface.
• DSR encapsulates the v6 packet inside a v4 packet and sends it to the v4 address of the tunnel endpoint (in the v4 header, v6 is identified by protocol no. 41).
• End DSR decapsulates the v4 packet, sees a v6 packet and sends it out its v6 interface according to the normal v6 routing table.
Potential issues
• Firewalls in transit might block protocol no. 41.
• Full cooperation of the tunnel endpoint routers' admin is required.
• MTU issues in the path.
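What the DSR does on the wire, as an added Python example that is not from the slides: encapsulate a constructed IPv6 packet in an IPv4 header with protocol 41 between the slide's endpoints 192.0.2.1 and 198.51.100.1, then the decapsulation/inspection step the far-end router (or a transit firewall deciding whether to pass protocol 41) performs. The inner IPv6 packet is a bare constructed header so the example runs offline.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

IPPROTO_IPV6 = 41  # IPv4 protocol number meaning "IPv6 payload follows"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 20-byte IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(v6_packet: bytes, src: str, dst: str, ttl: int = 64) -> bytes:
    """What the DSR does: prepend an IPv4 header with protocol 41 and the tunnel
    endpoints as source/destination. DF is set so path-MTU discovery can work."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6_packet), 0, 0x4000,
                      ttl, IPPROTO_IPV6, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + v6_packet


def decapsulate(v4_packet: bytes) -> dict:
    """What the far-end DSR (or an inspecting firewall) does: read the outer header,
    decide on protocol 41, and expose the inner IPv6 addresses for routing/policy."""
    ihl = (v4_packet[0] & 0x0F) * 4
    proto = v4_packet[9]
    outer = {"src": str(IPv4Address(v4_packet[12:16])),
             "dst": str(IPv4Address(v4_packet[16:20])), "proto": proto}
    if proto != IPPROTO_IPV6:
        return {"is_6in4": False, **outer}  # e.g. TCP/UDP: not a tunnel packet
    inner = v4_packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 payload is not a well-formed IPv6 header")
    return {"is_6in4": True, **outer,
            "inner_src": str(IPv6Address(inner[8:24])),
            "inner_dst": str(IPv6Address(inner[24:40]))}


def sample_ipv6_packet() -> bytes:
    """Constructed 40-byte IPv6 header between the two sites of the slide
    (next header 59 = no payload) so the example runs offline."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       IPv6Address("2001:db8:1000::10").packed,
                       IPv6Address("2001:db8:2000::20").packed)
```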
-
Manual Tunneling Example
[Diagram: site 2001:db8:1000::/64 -- R1 (192.0.2.1/24) -- Internet or ISP network -- R2 (198.51.100.1/24) -- site 2001:db8:2000::/64; tunnel addresses 2001:db8:12::1/64 on R1 and 2001:db8:12::2/64 on R2]

R1#
interface Loopback0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel0
 no ip address
 ipv6 address 2001:db8:12::1/64
 tunnel source Loopback0
 tunnel destination 198.51.100.1
 tunnel mode ipv6ip
 tunnel path-mtu-discovery
ipv6 route 2001:db8:2000::/64 Tunnel0

R2#
interface Loopback0
 ip address 198.51.100.1 255.255.255.0
interface Tunnel0
 no ip address
 ipv6 address 2001:db8:12::2/64
 tunnel source Loopback0
 tunnel destination 192.0.2.1
 tunnel mode ipv6ip
 tunnel path-mtu-discovery
ipv6 route 2001:db8:1000::/64 Tunnel0
-
6to4 Tunneling [RFC3056]
Pre-requisites
• Dual-stacked router [DSR] (or host) at both ends.
• IPv4 reachability between both ends using public IPv4 addresses.
How it works
• DSR routes packets from its native v6 interface out the tunnel interface.
• DSR automatically determines the tunnel endpoint (the v4 address that comes after 2002::/16 in the destination address).
• DSR encapsulates the v6 packet inside a v4 packet and sends it onwards.
• End DSR decapsulates the v4 packet, sees a v6 packet and sends it out its v6 interface according to the normal v6 routing table.
Potential issues
• Relays are subject to abuse (DoS & v6 address spoofing).
• Indiscriminately connecting to any endpoint poses security risks.
• Asymmetric: different end sites may use different relays.
• MTU issues in the path.
-
Routing between 6to4 Networks
[Diagram: routing between 6to4 networks. Source: Adeel Ahmed, Ciprian Popoviciu]
-
Routing between 6to4 and Native v6
Pre-requisites
• A 6to4 relay router connected to native v6 and also to v4 using a 6to4 interface, advertising 2002::/16 to its neighbours.
• The default gateway on the 6to4 routers or hosts must be the 6to4 relay address 192.88.99.1 [2002:c058:6301::/48].
Packets from 6to4 site to native v6 Internet
• The 6to4 router sends the packets to 2002:c058:6301::/48 (which will get to the nearest relay).
• The relay decapsulates the packet and routes it normally out its native v6 interface.
Routing packets from native v6 Internet to 6to4 site
• Packets follow normal v6 routing and get to the native v6 interface of the 6to4 relay.
• Seeing that the destination is in the 2002::/16 range, the relay extracts the v4 address, creates a tunnel and forwards the packet over its v4 interface.
-
Routing between 6to4 and Native v6: Relays
[Diagram: 6to4 relays between 6to4 sites and native v6. Source: Adeel Ahmed, Ciprian Popoviciu]
-
6to4 Tunneling Example
[Diagram: Site A IPv6 network 2002:C000:201::/48 -- R1 (192.0.2.1/24) -- Internet or ISP network -- R2 (198.51.100.1/24) -- Site B IPv6 network 2002:C633:6401::/48]

R1#
interface Loopback0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel0
 no ip address
 ipv6 enable
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
 tunnel path-mtu-discovery
ipv6 route 2002::/16 Tunnel0
ipv6 route ::/0 2002:C058:6301::

R2#
interface Loopback0
 ip address 198.51.100.1 255.255.255.0
interface Tunnel0
 no ip address
 ipv6 enable
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
 tunnel path-mtu-discovery
ipv6 route 2002::/16 Tunnel0
ipv6 route ::/0 2002:C058:6301::
-
The 6rd Transition Technique
• 6rd = IPv6 Rapid Deployment (RFC 5969)
• Plug-n-play ease of 6to4 without the drawbacks.
• Uses an ISP's v6 prefix rather than 2002::/16, thus limiting the operational domain to the ISP's network.
[Diagram: 6rd overview. Source: Mark Townsley, Cisco]
-
Elements of a 6rd System

Element | Description
6rd prefix | An IPv6 prefix selected by the SP for use in 6rd. Used (instead of 2002::/16) to create 6rd addresses. There is only one 6rd prefix per 6rd domain.
6rd delegated prefix | Calculated by the CE for use within the customer site: 6rd prefix + CE WAN-side v4 address.
CE router | LAN-side: v6 natively implemented. WAN-side: v4-only; can be Ethernet, ATM, PPP and use PPPoE, IPCP, DHCP etc. The WAN-side v4 address could be global or private per 6rd domain. A CE could belong to more than one 6rd domain.
-
Elements of a 6rd System

Element | Description
Border Relay (BR) | Links the 6rd domain to external v6 domains/Internet. Can be reached via anycast. Has at least one each of: an IPv4 interface; a 6rd virtual interface acting as an endpoint for the 6rd v6-in-v4 tunnel; an IPv6 interface connected to the native IPv6 network.
6rd virtual interface | Internal multipoint tunnel interface where 6rd encap & decap occurs. Typically one per CE. No more than one on each BR per domain.
-
From 6to4 to 6rd

 | 6to4 | 6rd
Client's network | Dual stack or v6 only | Dual stack or v6 only
Client IPv6 prefix | 2002:<client v4 address>::/48 | Normal v6 address: <6rd prefix><part or all of client v4 address>::/n
Traffic between site and other IPv6 sites | Send packet to 6to4 relay; return path may use a different relay | Send packet to Border Relay (BR); return traffic sent to the same BR
IPv6 traffic over ISP's access network | Tunneled within v4, follows v4 routing | Tunneled within v4, follows v4 routing
-
• X typically ranges from 12 to 32 bits
• Y typically ranges from 8 to 32 bits
• Try to ensure that (x + y) < 64 so the client can still have subnets
• Prefix lifetimes on LAN
-
Auto 6rd Prefix Delegation Example
[Diagram: auto 6rd prefix delegation example. Source: Mark Townsley, Cisco]
-
6rd CPE Routing Behavior
• Install a default route to the 6rd BR
• Install a black hole route to the auto-delegated prefix
• Install routes for any advertised LAN-side prefixes
-
Advantages of 6rd
• Allows the SP to provide v6 over a v4-only access network
• The SP can start building v6 experience while migrating the rest of the network
• Quick to deploy: all CPEs get the same configuration
-
6rd Configuration | Mandatory Parameters

IPv4MaskLen
• Number of identical high-order bits shared by all CE IPv4 addresses in the 6rd domain.
• This many high-order bits are stripped from the v4 address before constructing the 6rd delegated prefix.
• If clients get /32s, IPv4MaskLen = 0 and the entire CPE v4 address is used. If client addresses are from a /n prefix, then IPv4MaskLen = 32 - n.
6rdPrefix & 6rdPrefixLen
• Part of the ISP's allocation from the RIRs.
• Used instead of 2002::/16 to form the v6 prefix for each client site.
6rdBRIPv4Address
• Analogous to the 6to4 relay.
• Used to reach other non-6rd sites.
-
Provisioning 6rd CPEs
• An XMS object retrieved after v4 connectivity is established
• A DNS record
• SMIv3 MIB
• PPP IPCP
• Manually by the administrator
• DHCPv4 OPTION_6RD (212)
-
6rd Configuration | Border Relay

ipv6 general-prefix 6rd_PREFIX 6rd Tunnel0
interface Loopback0
 ip address 10.0.0.1 255.255.255.0
!
interface Tunnel0
 tunnel source Loopback0
 tunnel mode ipv6ip 6rd
 tunnel 6rd ipv4 prefix-len 8
 tunnel 6rd prefix 2001:db80::/28
 ipv6 address 6rd_PREFIX ::/128 anycast
!
ipv6 route 2001:db80::/28 Tunnel0
ipv6 route 2001:db80:0:1000::/52 Null0
-
6rd Configuration | CPE

ipv6 general-prefix DELEGATED_PREFIX 6rd Tunnel0
interface Dialer0
 ip address dhcp
 ! (10.0.0.10)
!
interface Tunnel0
 tunnel source Dialer0
 tunnel mode ipv6ip 6rd
 tunnel 6rd ipv4 prefix-len 8
 tunnel 6rd prefix 2001:db80::/28
 tunnel 6rd br 10.0.0.1
 ipv6 address DELEGATED_PREFIX ::/128 anycast
!
interface Ethernet0
 ipv6 address DELEGATED_PREFIX ::/64 eui-64
!
ipv6 route 2001:db80::/28 Tunnel0
ipv6 route ::/0 Tunnel0 2001:db80:0:1000::
ipv6 route 2001:db80:0:a000::/52 Null0
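The address arithmetic behind both the 6to4 example (2002:C000:201::/48 from 192.0.2.1) and the 6rd BR/CPE configuration above (2001:db80:0:1000::/52 from 10.0.0.1 and 2001:db80:0:a000::/52 from 10.0.0.10, with prefix 2001:db80::/28 and ipv4 prefix-len 8), as an added Python example that is not part of the slides: it derives the delegated prefix and recovers the per-packet tunnel endpoint, and with the 2002::/16 defaults it reduces to plain 6to4. The 10.0.0.0/8 domain prefix used to restore the stripped bits is an assumption consistent with prefix-len 8.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network, ip_network


def delegated_prefix(v4_addr: str, rd_prefix: str = "2002::/16",
                     v4_mask_len: int = 0) -> IPv6Network:
    """Site prefix = 6rdPrefix followed by the low (32 - IPv4MaskLen) bits of the
    CE WAN-side IPv4 address; length = 6rdPrefixLen + 32 - IPv4MaskLen.
    With the defaults (2002::/16, IPv4MaskLen 0) this is plain 6to4."""
    net = IPv6Network(rd_prefix)
    v4_bits = 32 - v4_mask_len
    # the IPv4MaskLen high-order bits are common to the whole domain and are stripped
    embedded = int(IPv4Address(v4_addr)) & ((1 << v4_bits) - 1)
    plen = net.prefixlen + v4_bits
    if plen > 64:
        raise ValueError("6rd prefix + embedded v4 bits exceed 64: no room for subnets")
    return IPv6Network((int(net.network_address) | (embedded << (128 - plen)), plen))


def tunnel_endpoint(v6_dst: str, rd_prefix: str = "2002::/16", v4_mask_len: int = 0,
                    domain_v4_prefix: str = "0.0.0.0/0") -> IPv4Address:
    """Per-packet tunnel destination: the IPv4 address embedded right after the
    6rd/6to4 prefix. For 6rd the stripped high-order bits are restored from the
    domain's IPv4 prefix, which the BR and every CE know (assumed 10.0.0.0/8 here)."""
    net = IPv6Network(rd_prefix)
    dst = IPv6Address(v6_dst)
    if dst not in net:
        # not a tunnel-domain address: such traffic goes to the relay / border relay
        raise ValueError(f"{v6_dst} is outside {rd_prefix}")
    v4_bits = 32 - v4_mask_len
    shift = 128 - net.prefixlen - v4_bits
    embedded = (int(dst) >> shift) & ((1 << v4_bits) - 1)
    high_mask = 0xFFFFFFFF ^ ((1 << v4_bits) - 1)
    high = int(ip_network(domain_v4_prefix).network_address) & high_mask
    return IPv4Address(high | embedded)
```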
-
General Tunnel Configuration Steps [IOS]

1 | Create the tunnel interface
(config)#interface tunnel tunnel-number
2 | Specify the tunnel source
(config-if)#tunnel source {interface type-number | a.b.c.d}
3 | Specify the tunnel destination (manual tunnels only)
(config-if)#tunnel destination {a.b.c.d | hostname}
4 | Assign an IPv6 address to the tunnel
(config-if)#ipv6 address address/prefix-length
5 | Specify the type of the tunnel
(config-if)#tunnel mode mode
-
Cisco IOS Tunnel Modes
Type | Tunnel Mode | Tunnel Source | Tunnel Destination | Tunnel IPv6 address
Manual | ipv6ip | An IPv4 address or a reference to an interface on which an IPv4 address has been configured | IPv4 address | Global unicast
GRE/IPv4 | gre ip | (as above) | IPv4 address | Global unicast
6to4 | ipv6ip 6to4 | (as above) | Calculated automatically on a per-packet basis | 6to4 address
6rd | ipv6ip 6rd | (as above) | Calculated automatically on a per-packet basis |
ISATAP | ipv6ip isatap | (as above) | Calculated automatically on a per-packet basis | ISATAP address
-
IPv4-IPv6 Translation: NAT64 & DNS64
• The only mechanism for getting v4-only hosts speaking to v6-only hosts.
• Operates in two modes:
  – Stateful: one-to-many v4 address mapping.
  – Stateless: one-to-one address mapping with only IP & ICMP header translation.
• Current implementations: Ecdysis (free and Open Source), MS Forefront UAG DirectAccess, Cisco CGv6.
-
NAT64 & DNS64 Use Case for Access Networks
[Diagram: NAT64 & DNS64 in an access network. Source: Marc Blanchet, Viagenie]
-
NAT64 & DNS64 Use Case for Content Providers
[Diagram: NAT64 & DNS64 in front of an IPv4 content provider. Source: Marc Blanchet, Viagenie]
-
NAT64 & DNS64 How it Works
[Diagram reconstructed as a message sequence. Participants: v6 Host (2001:db8::2), DNS64, Regular DNS, v4 Server www.example.com (192.0.2.6), NAT64 (inside: 2001:db8::1, outside: 192.0.2.1)]
1. v6 Host -> DNS64: AAAA? www.example.com
2. DNS64 -> Regular DNS: A? www.example.com
3. Regular DNS -> DNS64: www.example.com = 192.0.2.6
4. DNS64: synthesize AAAA from A using WKP 64:ff9b::/96
5. DNS64 -> v6 Host: www.example.com = 64:ff9b::c000:206
6. v6 Host -> NAT64: src 2001:db8::2 | dst 64:ff9b::c000:206
7. NAT64 -> v4 Server: src 192.0.2.1 | dst 192.0.2.6
8. v4 Server -> NAT64: src 192.0.2.6 | dst 192.0.2.1
9. NAT64: do v6<->v4 NAPT, re-calc checksums
10. NAT64 -> v6 Host: src 64:ff9b::c000:206 | dst 2001:db8::2
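The DNS64 synthesis and NAT64 address mapping from the sequence above, as an added Python example that is not from the slides: synthesize_aaaa only fabricates an AAAA when the name has no native one, extract_ipv4 recovers 192.0.2.6 from 64:ff9b::c000:206, and StatefulNat64 models the one-to-many binding table behind the outside address 192.0.2.1. The DNS answer records and port numbers are constructed; checksum recalculation (step 9) is not modelled.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network

WKP = IPv6Network("64:ff9b::/96")  # well-known prefix from the slide (RFC 6052)


def synthesize_aaaa(answers: list, prefix: IPv6Network = WKP) -> list:
    """DNS64 step 4: if the name already has AAAA records, hand them back untouched;
    otherwise build one AAAA per A record by embedding the IPv4 address in the
    low 32 bits of the prefix (192.0.2.6 -> 64:ff9b::c000:206)."""
    real = [rdata for rtype, rdata in answers if rtype == "AAAA"]
    if real:
        return real
    return [str(IPv6Address(int(prefix.network_address) | int(IPv4Address(rdata))))
            for rtype, rdata in answers if rtype == "A"]


def extract_ipv4(v6_dst: str, prefix: IPv6Network = WKP) -> IPv4Address:
    """NAT64 side: the real IPv4 destination is the low 32 bits of a mapped address."""
    addr = IPv6Address(v6_dst)
    if addr not in prefix:
        raise ValueError(f"{v6_dst} is not within the NAT64 prefix {prefix}")
    return IPv4Address(int(addr) & 0xFFFFFFFF)


class StatefulNat64:
    """Stateful NAT64 (NAPT, steps 6-10): many v6 hosts share one outside IPv4
    address; the binding table maps an outside port to (inside v6 address, port)."""

    def __init__(self, outside_v4: str):
        self.outside = IPv4Address(outside_v4)
        self.by_inside = {}   # (v6 addr, port) -> outside port
        self.by_outside = {}  # outside port -> (v6 addr, port)
        self.next_port = 1024

    def v6_to_v4(self, src6: str, sport: int, dst6: str, dport: int) -> tuple:
        """Outbound: returns (src4, sport4, dst4, dport) for the translated packet."""
        key = (IPv6Address(src6), sport)
        if key not in self.by_inside:  # first packet of a flow allocates a binding
            self.by_inside[key] = self.next_port
            self.by_outside[self.next_port] = key
            self.next_port += 1
        return str(self.outside), self.by_inside[key], str(extract_ipv4(dst6)), dport

    def v4_to_v6(self, src4: str, sport: int, dport: int):
        """Return path: look the outside port up; with no binding the packet is dropped."""
        key = self.by_outside.get(dport)
        if key is None:
            return None
        src6 = IPv6Address(int(WKP.network_address) | int(IPv4Address(src4)))
        return str(src6), sport, str(key[0]), key[1]
```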
-
IPv6 Business Readiness Class Discussion
After this section, you should be able to:
• Describe the various roadblocks holding back IPv6.
• Brainstorm solutions to the above problems.
• Identify the key messages to use in selling IPv6 to management.
• Brainstorm a generic IPv6 deployment framework and tailor it to your own organisation.
-
Discussion Points
• Challenges you anticipate in your move to IPv6
• Addressing plan ideas
• What kind of help do you need?
• Suggestions for overcoming the challenges
-
Generic Transition Plan
• Raise awareness
• Training
• Network equipment and application audit
• Modify all RFPs to make IPv6 support mandatory
• Plan to replace all non-v6 devices/applications with v6-capable versions
• Get your IPv6 allocation
• Enable both IPv6 and IPv4 on your network
• If your ISP doesn't support v6 transit, consider using tunnels
-
So What Can You Do?!!
• Enable IPv6 support for your public servers (DNS, mail, web). Start gaining experience with what works, what doesn't work, and the fixes.
• On return, gather your colleagues and teach them what you have learnt.
• Subscribe to [email protected] and share experiences/learn.
• Make IPv6 support mandatory in all your equipment and software purchases.
• Get rid of all non-v6 capable operating systems in your network.
• Set up a small lab and start experimenting with v6.
-
Thank U | Questions ?
www.afrinic.net